You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2017/03/07 21:18:38 UTC
[jira] [Commented] (AMBARI-20349) When SPNEGO authentication is
enabled for Hadoop in a cluster with NN HA, PXF Process alert fails
[ https://issues.apache.org/jira/browse/AMBARI-20349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900180#comment-15900180 ]
Robert Levas commented on AMBARI-20349:
---------------------------------------
FYI, [~jaoki], [~bhuvnesh2703]
> When SPNEGO authentication is enabled for Hadoop in a cluster with NN HA, PXF Process alert fails
> -------------------------------------------------------------------------------------------------
>
> Key: AMBARI-20349
> URL: https://issues.apache.org/jira/browse/AMBARI-20349
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.2.2
> Reporter: Robert Levas
> Assignee: Robert Levas
> Labels: PHD, PXF, kerberos
> Fix For: 2.5.0
>
>
> When SPNEGO authentication is enabled for Hadoop in a cluster where NN HA is enabled, PXF Process alert fails with the following errors in the ambari-agent.log file
> {noformat}
> ERROR 2017-03-07 18:03:58,417 jmx.py:44 - Getting jmx metrics from NN failed. URL: http://c6401.ambari.apache.org:50070/jmx?qry=Hadoop:service=NameNode,name=FSNamesy
> stem
> Traceback (most recent call last):
> File "/usr/lib/python2.6/site-packages/resource_management/libraries/functions/jmx.py", line 41, in get_value_from_jmx
> data_dict = json.loads(data)
> File "/usr/lib/python2.6/site-packages/ambari_simplejson/__init__.py", line 307, in loads
> return _default_decoder.decode(s)
> File "/usr/lib/python2.6/site-packages/ambari_simplejson/decoder.py", line 335, in decode
> obj, end = self.raw_decode(s, idx=_w(s, 0).end())
> File "/usr/lib/python2.6/site-packages/ambari_simplejson/decoder.py", line 353, in raw_decode
> raise ValueError("No JSON object could be decoded")
> ValueError: No JSON object could be decoded
> INFO 2017-03-07 18:04:02,769 logger.py:71 - call['ambari-sudo.sh su hdfs -l -s /bin/bash -c 'curl --negotiate -u : -s '"'"'http://c6402.ambari.apache.org:50070/jmx?qry=Hadoop:service=NameNode,name=FSNamesystem'"'"' 1>/tmp/tmphTXg76 2>/tmp/tmp5bm2nM''] {'quiet': False}
> INFO 2017-03-07 18:04:02,797 logger.py:71 - call returned (0, '')
> ERROR 2017-03-07 18:04:02,798 jmx.py:44 - Getting jmx metrics from NN failed. URL: http://c6402.ambari.apache.org:50070/jmx?qry=Hadoop:service=NameNode,name=FSNamesystem
> Traceback (most recent call last):
> File "/usr/lib/python2.6/site-packages/resource_management/libraries/functions/jmx.py", line 41, in get_value_from_jmx
> data_dict = json.loads(data)
> File "/usr/lib/python2.6/site-packages/ambari_simplejson/__init__.py", line 307, in loads
> return _default_decoder.decode(s)
> File "/usr/lib/python2.6/site-packages/ambari_simplejson/decoder.py", line 335, in decode
> obj, end = self.raw_decode(s, idx=_w(s, 0).end())
> File "/usr/lib/python2.6/site-packages/ambari_simplejson/decoder.py", line 353, in raw_decode
> raise ValueError("No JSON object could be decoded")
> ValueError: No JSON object could be decoded
> {noformat}
> *Cause*
> During the test for the {{PXF Process}} alert, the Active NN is found using a JMX call. This call requires SPNEGO authentication since SPNEGO authentication is turned on for the Hadoop web interfaces. However, a valid Kerberos ticket is not found in the configured user's Kerberos ticket cache. In this case, the configured users is the HDFS user - which technically is not necessary.
> This occurs in
> {code:title=common-services/PXF/3.0.0/package/alerts/api_status.py:137}
> if CLUSTER_ENV_SECURITY in configurations and configurations[CLUSTER_ENV_SECURITY].lower() == "true":
> if 'dfs.nameservices' in configurations[HDFS_SITE]:
> namenode_address = get_active_namenode(ConfigDictionary(configurations[HDFS_SITE]), configurations[CLUSTER_ENV_SECURITY], configurations[HADOOP_ENV_HDFS_USER])[1]
> else:
> namenode_address = configurations[HDFS_SITE]['dfs.namenode.http-address']
> token = _get_delegation_token(namenode_address,
> configurations[HADOOP_ENV_HDFS_USER],
> configurations[HADOOP_ENV_HDFS_USER_KEYTAB],
> configurations[HADOOP_ENV_HDFS_PRINCIPAL_NAME],
> None)
> commonPXFHeaders.update({"X-GP-TOKEN": token})
> {code}
> Inside the call at
> {code}
> namenode_address = get_active_namenode(ConfigDictionary(configurations[HDFS_SITE]), configurations[CLUSTER_ENV_SECURITY], configurations[HADOOP_ENV_HDFS_USER])[1]
> {code}
> *Solution*
> Ensure the configured user's Kerberos ticket cache contains a valid ticket before querying for the active NN. Possibly change the acting user to one executing the PXF component.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)